Researcher who found Hospira drug pump flaws says more models are vulnerable

Security researcher Billy Rios has verified that more Hospira infusion pumps are vulnerable to the same security issues, since they use "identical software."

A security researcher who discovered vulnerabilities in widely used drug pumps – prompting the Department of Homeland Security and the U.S. Food and Drug Administration to issue public safety alerts – revealed that a number of drug pump models distributed by the manufacturer in question are vulnerable to the same issues, since they use “identical software.”

Last month, the FDA and DHS warned that the LifeCare PCA3 and LifeCare PCA5 infusion pump systems by Hospira were impacted by flaws which, “if exploited, could allow an unauthorized user to interfere with the pump's functioning,” and ultimately, “access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies,” the FDA safety alert said.

In case the warning wasn't enough to inspire action, including device owners taking mitigation steps to prevent exploitation, researcher Rios now reveals in a Monday blog post that “many of Hospira's infusion pumps utilize identical software on their infusion pumps communications module, making them vulnerable to the exact same security issues associated with the PCA 3 [infusion pumps].”

While DHS has provided mitigation steps for device operators, the health care sector still awaits an updated version of the LifeCare products (Version 7.0), since it is currently under review by the FDA.

Furthermore, Rios said Monday that, after doing his own analysis of additional Hospira drug pump models, he can verify that the LifeCare PCA3 and LifeCare PCA5 (referenced in the DHS and FDA advisories) are vulnerable, along with Hospira's Plum A+ infusion pumps, PCA LifeCare pumps, and Symbiq pumps. Luckily, the Symbiq line is no longer sold by Hospira, which announced in 2013 that it would phase out the line due to FDA quality concerns.

Rios, who spoke to Wired in a Monday article about the drug pump concerns, also suspects that the following Hospira models are impacted by the aforementioned security issues (though he hasn't yet verified this through testing): Plum A+3, Plum 360, Sapphire and Sapphire Plus, all found here. In his blog, the researcher noted that vulnerabilities in the various lines could allow an attacker to forge drug library updates to affected infusion pumps, and allow an unauthenticated telnet shell “to root to the communications module.” The products also use identical hardcoded credentials, private keys and encryption certificates across different device lines, as well as “a slew of outdated software” that on its own represents more than 100 separate vulnerabilities, Rios explained in his blog.
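The two findings above that a hospital security team can check for itself are shared secrets (the same certificate or credential material reappearing on several device models) and a telnet service exposed on the clinical network. The following fleet-audit script is an added example, not code from the article, from Rios, or from Hospira: it takes a device inventory in the shape a network scanner or asset-management export might produce (the records here are constructed, and the field names, fingerprints and port lists are assumptions), groups devices by certificate fingerprint and credential hash, and reports any value that spans more than one model, plus every device still answering on the telnet port.

```python
"""Fleet audit for shared device secrets and exposed telnet (example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

TELNET_PORT = 23


@dataclass
class Device:
    device_id: str
    model: str
    cert_sha256: str        # SHA-256 fingerprint of the comms module's TLS certificate (assumed field)
    cred_hash: str          # hash of the service credential as reported by the inventory tool (assumed field)
    open_ports: Set[int] = field(default_factory=set)


# Constructed sample inventory; fingerprints and hashes are made-up placeholder values.
INVENTORY: List[Device] = [
    Device("pump-001", "LifeCare PCA3", "sha256:aa11-shared", "cred:h1", {TELNET_PORT, 443}),
    Device("pump-002", "LifeCare PCA3", "sha256:aa11-shared", "cred:h1", {TELNET_PORT, 443}),
    Device("pump-003", "Plum A+",       "sha256:aa11-shared", "cred:h1", {443}),
    Device("pump-004", "Symbiq",        "sha256:9c7e-unique", "cred:h2", {443}),
]


def group_by(devices: List[Device], attr: str) -> Dict[str, List[Device]]:
    """Group devices by one attribute (e.g. certificate fingerprint)."""
    groups: Dict[str, List[Device]] = defaultdict(list)
    for d in devices:
        groups[getattr(d, attr)].append(d)
    return groups


def cross_model_reuse(devices: List[Device], attr: str) -> Dict[str, List[str]]:
    """Return {value: sorted models} for every value of `attr` that appears on
    more than one device model. A per-device certificate or credential should
    never show up here; a hardcoded, shared one will."""
    reuse: Dict[str, List[str]] = {}
    for value, members in group_by(devices, attr).items():
        models = sorted({d.model for d in members})
        if len(models) > 1:
            reuse[value] = models
    return reuse


def telnet_exposed(devices: List[Device]) -> List[str]:
    """IDs of devices with the telnet port open; these need network isolation
    or the vendor's mitigation applied, since telnet carries no authentication
    the defender can rely on."""
    return sorted(d.device_id for d in devices if TELNET_PORT in d.open_ports)


def audit(devices: List[Device]) -> Dict[str, object]:
    """Run all checks and return a findings dictionary suitable for a ticket or report."""
    return {
        "cert_reuse": cross_model_reuse(devices, "cert_sha256"),
        "cred_reuse": cross_model_reuse(devices, "cred_hash"),
        "telnet_exposed": telnet_exposed(devices),
    }


if __name__ == "__main__":
    findings = audit(INVENTORY)
    for check, result in findings.items():
        print(f"{check}: {result}")
```

Run against a real export, the "cert_reuse" and "cred_reuse" sections are the evidence that a fix cannot be scoped to a single model, which is exactly the point Rios makes about the shared communications-module software; the "telnet_exposed" list is the set of devices to segment first while waiting for a vendor update.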

Given the public attention to previously reported vulnerabilities in PCA3, and findings that the impacted software is “identical on many Hospira communication modules,” Rios said that he finds it “impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines.”

At press time, Hospira had not responded to an SCMagazine.com query.

Hospira, a Lake Forest, Ill.-based pharmaceutical and medical device firm with approximately 19,000 employees, agreed in February to be acquired by pharma giant Pfizer for approximately $17 billion – a deal expected to close in the second half of this year. The company's drug pumps are used around the globe and, according to a company fact sheet from April (PDF), Hospira has five manufacturing facilities in the U.S. and 11 outside of the country.